Linux Foundation Secure Boot System Released

As promised, here is the Linux Foundation UEFI secure boot system. This was actually released to us by Microsoft on Wednesday 6 February, but with travel, conferences and meetings I didn’t really get time to validate it all until today. The files are here

I’ve also put together a mini-USB image that is bootable (just dd it on to any USB key; the image is gpt partitioned, so use the whole disk device). It has an EFI shell where the kernel should be and uses gummiboot to load. You can find it here (md5sum 7971231d133e41dd667a184c255b599f).

To use the mini-USB image, you have to enrol the hashes for loader.efi (in the \EFI\BOOT directory; actually gummiboot) as well as shell.efi (in the top level directory). It also includes a copy of KeyTool.efi, whose hash you have to enrol as well before you can run it.

What Happened to KeyTool.efi?

Originally this was going to be part of our signed release kit. However, during testing Microsoft discovered that because of a bug in one of the UEFI platforms, it could be used to remove the platform key programmatically, which would rather subvert the UEFI security system. Until we can resolve this (we’ve now got the particular vendor in the loop), they declined to sign KeyTool.efi although you can, of course, authorize it by hash in the MOK variables if you want to run it.

Let me know how this goes because I’m very interested to gather feedback about what works and what doesn’t work. In particular, there’s a worry that the security protocol override might not work on some platforms, so I particularly want to know if it doesn’t work for you.

193 thoughts on “Linux Foundation Secure Boot System Released”

Great stuff!
Many thanks for your work and I look forward to using it with a portable Debian utility over the coming weeks (as time permits).
I know a lot of people are opposed to the idea of UEFI – I strongly support it, my only misgivings (strong concerns) are about the “vendors” role. Kudos to those concerned for getting the keysigning sorted.

Not sure if this did the trick or installing the other shim.efi file located on the link from Shimming Your Way To Linux on Windows 8 article. When I downloaded the ones you posted, Windows 8 wouldn’t let me open them. Thank you so much for your suggestions. One of these two did the trick, just not sure which one caused it to work. Whichever one worked, I think it happened after another restart. Thank you.

Then I copied it to a FAT usb key and started it. I added the hash of loader.efi which is gummiboot in that example. But of course it was not able to start the shell.efi without adding the hash of that binary.

So what changed compared to shim? Shim allows adding a hash or key but always requires signed binaries – even if the hash was added. So basically it is easier to use.

I don’t think gummiboot was a good example bootloader because it can not start Linux as efi loader when you don’t add the hash. Grub 2 can boot unsigned Linux kernels however.

The bug that MS found is most likely in the AMI UEFI implementation (also found in Asrock boards) that you can not reset changes to the key dbs. In my test board I have got an option to “Delete All Secure Boot Variables” and then “Install All Factory Default Keys” but all keys/hashes I added with Shim or this loader are valid till the end of time. The bug is there with hashes as well – therefore I don’t get why they did not find that 😉

I also noticed that it would maybe be nice if you could hold down a key that is not used by any other loader to invoke the HashTool.efi.

Sorry, I regret I don’t have more time at present to help, and I don’t understand what you’re trying to do with the mount+fat stuff (too technical for me?).
But I checked this image in an emulator and it seems to work fine. I’ll do more when I get some other work done.
I’ve put up a small video if that’s useful. http://youtu.be/1fNhQYRIjD8

To the moronic anti-Microsoft chorus – so what? Your constructive solution is to do what? It’s a tool, use it. If you run away every time MS embrace, extend and extinguish – you lose, which may bring you comfort but it advances nothing. There’s a reason why you’re socially marginalised – and it’s not part of some corporate conspiracy.

@Randy Fry. Where does James say this is a release for everyone? If you’d like to contribute in a meaningful way I’m sure a well constructed bug report would be useful.

I looked at your video and it doesn’t show anything actually working. Using VirtualBox, I loaded the files onto an EFI formatted partition into the /EFI/BOOT directory and got the same exact results as you did but then I removed the device from the virtual machine and booted and I got the same thing.

This is your solution to Microsoft secure boot? Really! Why don’t you reread your instructions above! What Windows user is gonna take the time to figure out how to implement the linux key, just to try out a linux distro!

I’m not sure if you’ve noticed, but secuboot completely locked a few people out of the bios, possibly more. I bought a laptop with windows8 on it a few weeks ago, went to install my favourite flavour via USB and realized suddenly… I have no screen to access my bios from to boot from USB. People like me are screwed by Microsoft’s secuboot. It completely shut me out of the possibility of wanting to use my system in my own way. This is great news for me.

I have been, and currently am, a Windows computer support person. I have been active supporting Windows for over 20 years, but find it frustrating to learn and work with Linux. First of all, I am not a programmer. Secondly, when I run into situations like this, where the industry hardware boot changes, I am stuck. I can download a new Bootloader.exe that will solve the Windows UEFI boot from USB / CD problem. But when it comes to writing code and going through programmer type work arounds, forget it.

The Linux community needs to make this easy for people that are great with Windows, trying to learn Linux, but do not have the knowledge to do these work arounds. Something like a configured group of files that can allow you to go step by step …Formatting the USB, Copying files over to make it bootable. I have a really nice Linux utility for password resets, that is now useless. I personally like Linux better than Windows 8 by far, think it is cool, but get frustrated with even printer installs. Linux is getting much better, and I am getting excited. These situations are a set back for me.

Randy Fry: these instructions are for advanced users only. Users who want to install a Linux distro on a UEFI/Secure Boot computer will have to wait for distribution releases in April/May (Fedora/Ubuntu and related distros).

Seems like you folded to Microsoft UEFI and Microsoft’s monopolistic decision to have OEMs use UEFI whether a consumer wants this or not under the guise of security when in fact it’s an effort to maintain control on MS’s part.

Who owns the hardware when one is highly controlled by UEFI to not be able to boot another operating system easily on a machine one has purchased with UEFI installed…answer Microsoft owns your hardware (similarly Apple owns your hardware on their systems which OS disks only boot on certain Apple machines).

“Linux Foundation Secure Boot System Released” is a title that falls short of describing that the article that follows is almost incomprehensible to the average user, Linux user or not, and appears at first glance because of that not to be a simple and convenient work around or alternative to Microsoft UEFI boot systems. More work is necessary such as a step by step directions description that is understandable and perhaps rethinking if acceding to MS UEFI is not giving up the battle where instead UEFI should include the option not to use it from the get go of purchasing a machine at least (since being able to turn it off once started is not an option vis the security it is supposed to provide).

All in all when buying PC hardware one should not be forced to be intertwined with an operating system installed on it period or it seems one has not bought the hardware but instead is renting the right to operate the hardware purchased as well.

Why Microsoft is allowed to use its relationships to OEMs in this way seems to fly in the face of anti-trust law and the latter circumstance is what is objectionable and should be pursued.

Perhaps Windows 8 poor reception (except by “reviewers” with vested interests) will protect us all from MS by making them far less significant players in the OEM space through its perhaps worse than VISTA sales performance?

Does not answer the question of booting Linux without UEFI on a Microsoft UEFI system? Dual booting Linux sans UEFI and Microsoft Windows X with UEFI. Microsoft X without UEFI etc etc. MS stands in the way of many options. What about Virtual Machines booting with UEFI and without using a MS OS. UEFI is in the way of lots of common applications of OS and hardware. UEFI should only be a requested option on hardware not a default of an operating system provided by OEMs otherwise it’s just MS getting in the way as is all too usually the case and is offensive and insulting to the consumer who should be able to decide what they want and not be told what they will have….

Getting these bootmgr’s signed is a good first step, but the situation is not optimal. For instance, the BCD-based bootmgr from Windows no longer chainloads bootsector images (grub4dos,Wubi,…) so newcomers can’t try a Linux distribution without reformatting their drives.

Is there any effort in getting support from Microsoft for this in Windows 8 or a future version ?

Please provide checksums from secure algorithms too. It is trivial to generate two different files with different prechosen contents that still have the same MD5 checksum; there are tools that make it simple.

SHA256 is secure enough (you don’t need any others than this one), as well as SHA512 or any of the SHA3 finalists.
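The post above publishes only an md5sum for sb-usb.img, and this comment thread asks for a stronger digest as well. The following is an added example, not code from the original post or from efitools, showing how a user would check a downloaded image against an expected digest (MD5 or SHA-256) before writing it to a USB key, and how to refuse a partition device since the image is GPT partitioned and must go to the whole disk. The function names, the `lsblk` whole-disk check and the sample file with its digests are my own constructions; the expected digest for the real image is whatever the post or its download page states.

```shell
#!/bin/sh
# Added example (not part of the original post): verify a downloaded image
# against a published digest before writing it to a USB key with dd.

# verify_checksum FILE ALGO EXPECTED
#   ALGO is "md5" or "sha256". Returns 0 if FILE's digest equals EXPECTED,
#   1 on mismatch, 2 for an unknown algorithm.
verify_checksum() {
    file=$1; algo=$2; expected=$3
    case "$algo" in
        md5)    actual=$(md5sum "$file" | awk '{print $1}') ;;
        sha256) actual=$(sha256sum "$file" | awk '{print $1}') ;;
        *)      echo "verify_checksum: unknown algorithm '$algo'" >&2; return 2 ;;
    esac
    # Digests are hex, so compare case-insensitively by lowering both sides.
    actual=$(printf '%s' "$actual" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# is_whole_disk DEVICE
#   The sb-usb.img image carries its own GPT, so it must be written to the
#   whole disk device (e.g. /dev/sdb), never to a partition (e.g. /dev/sdb1).
#   Uses lsblk's TYPE column; returns 0 for "disk", 1 otherwise.
is_whole_disk() {
    [ "$(lsblk -ndo TYPE "$1" 2>/dev/null)" = "disk" ]
}

# write_image IMAGE DEVICE ALGO EXPECTED
#   Only writes when the digest matches and DEVICE is a whole disk.
write_image() {
    image=$1; dev=$2; algo=$3; expected=$4
    if ! verify_checksum "$image" "$algo" "$expected"; then
        echo "digest mismatch for $image: refusing to write" >&2
        return 1
    fi
    if ! is_whole_disk "$dev"; then
        echo "$dev is not a whole disk device: refusing to write" >&2
        return 1
    fi
    # bs=4M keeps the transfer fast; sync flushes the write cache before
    # the key is pulled.
    dd if="$image" of="$dev" bs=4M conv=fsync
}

# Constructed sample input (not the real image): a tiny file whose digests
# are known, used here only to exercise verify_checksum.
sample=$(mktemp)
printf 'hello\n' > "$sample"
if verify_checksum "$sample" md5 b1946ac92492d2347c6235b4d2611184 &&
   verify_checksum "$sample" sha256 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03; then
    echo "sample digests verified"
fi
rm -f "$sample"
```

To use it on a real download, call `write_image sb-usb.img /dev/sdX md5 <digest-from-the-post>` as root; with a SHA-256 published alongside, pass `sha256` instead. The whole-disk check relies on `lsblk` from util-linux and so applies to Linux hosts only.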

I think you’re completely wrong. The notion that achieving perfection means never compromising is such nonsense. This is a great thing, because it means that more people will be able to run the software they want on UEFI hardware. There’s nothing to say the situation can’t improve.

We’re currently investigating merging them. The main sticking point is the validity of the security override protocol. I released this version to see if it worked for everyone or if there was a reported problem with it.

I tried your sb-usb.img on a current Asus UX31A. I turned secure boot on
for the experiment. When the system accessed the stick with your image,
it offered me a way to enrol the three keys you describe in your
article. I followed the dialog and rebooted. After reboot I find in the
BIOS the stick as a first class boot option. So I assume this is what
you intended.

You do not describe what the system should do next. Some sort of Hello
world kernel would be handy indeed to find out if the thing behaves as
intended. In my case the Screen displayed an endless loop of a countdown
from Boot in 10 seconds to Boot in 0 seconds. I’m not sure what to try next.

Thanks for testing this. The image is supposed to have an efi shell as its hello world option. From what you describe, gummiboot isn’t displaying this. I’m still on the road at the moment, so I can’t really test this out except in ovmf until i get back home.

If you want to try boot to shell, you can copy shell.efi directly over /efi/boot/loader.efi on the stick.

And best provide a Debian package with your signed tools; you don’t have any copyright info or whatever which would be needed to create one. A fancy name would not hurt, do you call it just efitools-signed-1.3.5? Could you provide instructions how to delete the UEFI var which is used to store the hashes. Interesting would be as well if this is writeable from a booted Linux. As your tool requires the least changes to a working UEFI infrastructure I most likely will use it.

Did you do any testing at all for your tool? HashTool.efi doesn’t even recognize shim.efi as a proper EFI binary, same with other signed loaders I tried (in OVMF). Combined with inability to enroll certificates (I guess that’s KeyTool.efi), I don’t see why I should prefer your tool to shim.

Well Keytool is very cool, I did not test it first as it was not an extra download, just in the sb-usb.img. After I tried the Keytool I found out what is missing in common firmware: You can NOT reset the MOK db. Using it I could remove all hashes I added and it asked me again.

The efitools source could be better however. After a few suggestions the Gummiboot code was modified in a way that it compiles without changes on Debian; in efitools you still see the RedHat/SuSE hardcoded paths (Hint: there is NO lib64 on Debian). Shim is not nice too but Ubuntu packaged it already.

I used the OVMF too lately and what I noticed was that the Keytool uses ESL and the Firmware itself wants CER. Shouldn’t Keytool support CER as well?

KeyTool does actually support .cer files. You have to be in setup mode for it to offer them as a choice, and it will zero out the GUID since cer files don’t carry that information, but other than that it should work (at least it works for me on my tunnel mountain system).

I understand both sides of the argument. Just like the differing viewpoints of Richard Stallman and the FSF regarding “free” as in freedom and also as in beer. I salute their intentions of free software “purity” and I support their efforts. However, to the extent it affects ME and my productivity, I will use the appropriate tool for the job in order to get things DONE! I PREFER an open-source tool/solution, but I will use a proprietary tool if needed (i.e. I prefer the Nouveau driver, but will use nVidia if Nouveau isn’t getting it done to my satisfaction). If that bothers the FSF purists, then improve the Nouveau driver to the extent that I will switch back, without compromise of what I need in MY computer! How does this apply to UEFI and secure boot? Bottom line, Windows is a malware magnet that must divert precious CPU resources to malware protection. To a certain extent, Linux is also viewed by MS as a certain type of malware that COMPLETELY shuts down Windows 😉 The MS solution isn’t to make its OS more robust, it’s to make anything non-Windows comparatively weaker. Since I refuse to return to Windows, I appreciate the efforts of any distro to provide a workaround for UEFI secure-boot. I am not smart enough, nor technical enough, to contribute to these efforts. But I have a solution also, that is equally viable and effective. Do NOT buy Windows computers! There are numerous vendors who provide Linux pre-installed, for substantially similar prices. Please support THOSE vendors and buy THEIR systems! If enough people do this, the hardware vendors WILL notice and they will be empowered to escape the MS mandate. Provide the vendors with an alternate route and insist on purchasing an OEM Linux system with UEFI disabled; install another distro after purchase, if you must, but do NOT feed your $$$ into the MS model. If enough people vote with their wallet(s), vendors WILL find the trail of bread crumbs and eventually create a less obstructed path to your wallet. 
That’s probably not the only solution, and maybe it’s not the best, but it is simple, elegant, and easily implemented…and THAT is what I will do!!!!

VERY, VERY well said, Jim. With a brand new ASUS with W8 on it, I’m reading everything I can to get Linux as my primary, without fouling up my start-up as a neophyte who doesn’t want to be a ‘tech’, and this UEFI matter is a bitter pill of distraction preventing me from getting done what I need to be doing. I’ve had all the experience I want in this life with MS “error”, “error”, and find that using Linux I glow while getting my work done. Thanks for your expressions.

Hear Hear… Am taking back my ASUS ROG 8480 with WIN8 Secure boot Crap and buying one with NO OS. Even after getting linux onto the machine, if I go into Win8, it updates itself EVERYTIME and I have to go through the headache again and again. To top it off Win8 which I have only had for 2 weeks is already showing signs of glitches and errors (as usual) and is also a B*T*H with resetting my DNS accounts and leaking my VPN.

Instead of some of you being upset, why don’t you take action? Reporting Microsoft to the DoJ is a simple process; they are in clear violation of the Sherman Act. I have already reported them and it was of no use for a single person, I need all of you.

If you are in the EU, they are less friendly to Microsoft, report them please. Do your part to rid society of Microsoft’s evil. And yes, it truly is evil and despicable. I’m trying to get a Lawyer involved locally, only to write a legal letter to the DoJ but it’s difficult for me. I wish you all, if you love open platforms, would help.

I totally agree with you mike, because it is not a matter of working around Micro$oft imposing its totalitarian view into our hardware homes (now it is only laptops, PCs and the like – but in a short time it will be TVs, fridges, ovens and so on). This thing needs pro-open-source people gathering in the streets and making noise to be heard by law authorities to sue Micro$oft for restricting people’s choices, who in past times sacrificed their lives and shed their blood to fight for freedom.
For you in Europe and the United States it is kind of easy to buy laptops with GNU/Linux pre-installed, but in other countries they do not have this choice.
So, do something more practical – Open Source Community – to stop this M$/OEM companies’ imposition over thousands of people around the world and stop playing cat and mouse with the “power dark side”. Because, at this point, M$ devs might be laughing at FOSS devs and the whole community. In my opinion this issue needs to be taken to the High Court in Europe and the States, because it is not only a case of “working things around”.

If I have a PC with UEFI on it, can I boot linux live CD/DVDs without having to jump through any hoops?
Or for that matter, can I do it with USB Flash drives?

I do not see where the PC booting with UEFI can solve security problems other than locking out the ability of booting another OS supposedly to protect the personal data of a user.
And since linux, once booted, can access an NTFS partition of windows, and get the personal data there as well as modifying files etc., Microsoft wants to block any other OS from being able to boot or be installed.
UEFI does not protect windows from web based attacks.
It only prevents one from booting an OS like linux even if the purpose is to recover personal data from a trashed windows install or to remove files associated with a virus or malware.
I have used linux on a windows PC that ran XP to remove a scareware file that would pop up a window for each application on it saying the file was infected and to click on the link in the notice to buy and install their anti-virus software.

It will work for all distros, provided you move the distro provided loader from bootx64.efi to loader.efi
In theory, it should also be usable to boot Windows 8 using some form of chain loader (I think grub supports this). As long as you have the microsoft keys still in db, I think windows 8 should boot up in secure mode as well. Unfortunately, all the UEFI secure boot hardware I have is pre-release samples, so it didn’t come with windows 8 installed, so I can’t test this part.

This is not working for me on the Microsoft Surface Pro. I am able to boot GRUB2 from a USB disk with Secure Boot disabled by simply renaming it to \efi\boot\bootx64.efi. So I figured that if I rename PreLoader.efi to \efi\boot\bootx64.efi, copy HashTool.efi to \efi\boot and rename the original \efi\boot\bootx64.efi (GRUB2) to loader.efi I should be OK. Unfortunately this set up is still only working with Secure Boot disabled; when enabled, I get an error along the lines of “unauthorized boot manager” or something like that. Note that this error is not coming from HashTool.efi. It seems the system is refusing to even load PreLoader.efi (now renamed to bootx64.efi). What do you think could be the problem? Thanks

The Win8 logo requirements were pretty clear in making the distinction between a tablet and a PC. I’d guess the Microsoft key in the db variable isn’t actually the same one they mandate in all PCs meaning that the signed PreLoader isn’t signed with the right key for a surface pro. It would be interesting to see what the keys in this tablet are, though.

If you can actually disable Secure Boot, you should be able to run KeyTool.efi and it should be able to tell you the keys (and even save them to a USB key) … as long as they’re still visible, of course. Unfortunately, the surface is Microsoft manufactured, so I don’t really know what might be available in its UEFI system.

Actually I just tested sb-usb.img on an Acer V3 laptop and had the same problem, which leads me to believe that it is not just a tablet issue. Shim.efi didn’t work either. What do you think is going on? Could it be that we’re not supposed to boot from USB? Or that Windows 8.1 requires different keys than Windows 8? Or that keys vary by geographical location (I am in Canada)? Of course I can probably always manually enroll the keys but I would like to get to the bottom of this.

To be honest, I don’t actually know (I don’t have any new Windows 8.1 laptops here). One possibility, though, is the multi signature support: Various people (including us) have been interested in it because shim or PreLoader could be signed with both the Microsoft key and a distribution key, meaning you could transition to a trust model where the secure boot bios didn’t need any Windows keys. It is possible Microsoft is using this to update keys, so if Windows 8.1 were signed with both the standard UEFI key and another one and the ACER only had the other key, the symptoms might be what you describe. This is pure speculation, though, but extracting the keys would tell us one way or the other.

Sorry to say but the OEMs who want to be Microsoft Partners won’t help us as I recently found out. Windows 8 machines are cheaper than regular hardware alone because Microsoft pays the OEM for a portion of that hardware in exchange for selling those machines with Windows 8 preinstalled. Ask any OEM rep and they won’t deny this. One HP rep I spoke to even said this was common knowledge but she didn’t know where I could find the info online. See this http://www.linuxforums.org/forum/coffee-lounge/194698-truth-about-microsoft-oems-linux.html HP offers no support for UEFI or even mentions it in their official documentation. When asked, the tech support says they don’t know anything about it. They refer you to talk to Microsoft which is silly because Microsoft didn’t make or install the UEFI with Secure Boot, they only require its use. What the HP rep told me is because they are getting money for the hardware from Microsoft, they do not have to make it easy for users to use UEFI to dual boot with Windows 8. They follow Microsoft’s wishes as a good Microsoft Partner. They scratch each other’s backs. It’s a legal bribe IMO. I had to go over tech support’s heads and talk to a higher HP rep because I had questions about Microsoft required functionality that was not present in the HP UEFI firmware – the ability of the user to add or remove your own PKs as required in the Windows 8 Certification Requirements for Client and Server Systems. See the link above, you’ll get the whole story.

I don’t doubt a single word you wrote, but I’m afraid you missed the thrust of my argument. My argument is simply this…DO NOT BUY OEM HARDWARE WITH WINDOWS, BUY OEM HARDWARE WITH LINUX PRE-INSTALLED! If enough people do this, System76 and ZaReason, etc… become “the next Dell” by blowing up with demand. Other hardware vendors will notice and will have to make a choice whether to continue business-as-usual by MS rules, or consider an alternative business model based on new-found consumer demand. I will be “rolling my own” desktop(s) and purchasing laptops from the aforementioned Linux vendors. If enough people feel as I do, and ACT accordingly, we can at least be heard and POSSIBLY(?!) even be considered and accommodated? If we could somehow create a groundswell of linux demand, MS is rendered an irrelevant and toothless tiger. It will take a while, but every beach starts with grains of sand. Just my 0.02…

Point taken, But many OEMs like HP and Dell do offer Linux certified computers and for those models they will give Linux support. I agree more vendors should sell Linux machines. Linux’s problem for the desktop consumer is simple. It’s advertising and image marketing that has fallen down. The Linux Desktop is certainly ready for a larger chunk of the marketplace. Linux needs a SuperBowl commercial. Huge billboards, and cooperation from places like Best Buy who won’t even service a Linux machine even if you bought the hardware from them. So HP and Dell make Linux certified machines – where are the ads for this? They are non existent so people don’t consider Linux a viable option. http://www.techdrivein.com/2010/09/7-providers-of-pre-installed-linux.html This is what The Linux Foundation should focus on IMO. Just like everything else, the market won’t grow without advertising.

Thank you for making this available for use. I have used the USB image to do a secure boot of Puppy Fatdog64 test version for UEFI on USB flash drive. It does work with some minor issues. The issues are mostly the result of my lack of knowledge. The details are here on the Puppy Forum at this url: http://www.murga-linux.com/puppy/viewtopic.php?t=83402

I do have a question. Where can documentation be found for the loader, hash tool, and key tool? Thank you in advance for any help with this.

I did do documentation for the unix key manipulation utilities that come with efitools, but I was rather hoping that PreLoader, HashTool and KeyTool would be pretty self explanatory, so I didn’t do much with them. The best I have is the README that comes with efitools (/usr/share/efitools/README)

I’ll get on that one ASAP. The original present user test system assumed that if it couldn’t find the SecureBoot variable, then it was on an ordinary UEFI platform and simply executed the next stage (loader.efi). I forgot to carry that over to the new PreLoader. It will probably take a couple of weeks to get the thing signed, though.

I just put out version 1.3.6 It should run flawlessly on non secure boot UEFI platforms. I’ve tested it on a tianocore ovmf image with secure boot removed, but if you could try it out on real hardware, I’d be grateful

Microsoft is bribing Hardware manufacturers, so other Operating Systems (other than Windows 8) cannot be booted on computers.

Dear James Bottomley and everybody else concerned,

I have important information for you regarding why it is not possible to boot linux on windows 8 machines and hardware.
Apparently Microsoft did that on purpose in collaboration with the hardware manufacturers and is paying the hardware manufacturers off (bribing them), so they would make sure that other operating systems (besides Windows 8) cannot be installed on their hardware.
Please check out this article here for details on this: http://www.abovetopsecret.com/forum/thread926717/pg1

I guess the only way to make progress in this area is to sue Microsoft, and possibly the hardware manufacturers. Microsoft has no interest in helping Linux or any other operating systems to run on Windows computers. They especially bribed the hardware manufacturers, so nobody else can run another OS so easily on Windows computers. Why should Microsoft now make it easier for Linux?
Everybody, please look into this.
Check out this link: http://www.abovetopsecret.com/forum/thread926717/pg1

Peter I believe the article you refer to was my own posted on ATS. It was removed because they have a policy that says I could not copy and paste even my own work from another forum, and I had posted the same on other forums. I remade the thread with the new title: The true conspiracy about Microsoft, PC Manufacturers and Linux and it’s found here: http://www.abovetopsecret.com/forum/thread927328/pg1 A copy of the original that you referred to is called The truth about Microsoft, OEM’s and Linux and can be found here: http://forums.linuxmint.com/viewtopic.php?f=58&t=124869

In these articles I detail my journey through Hell as I learn about UEFI and Secure Boot; the steps I took to get Mint to work with my UEFI with secure boot disabled and the shocking things I learned from talking to the HP reps.

Thank you for your answer; I followed your instructions but after the reboot I am always unable to launch my linux OS after the reboot of my pc. Please note that I had already installed my linux platform before following the previous steps;
Thanks!

Please, I am not an expert on UEFI technology but I have a windows 8 pc which gives me serious headache because I want to run a linux system on it; can you explain a little what you understand by “…installs the PreLoader and HashTool to begin the process”
thanks for your answer! have a good day

As soon as the MS certificate is cracked, this secure boot nonsense will be less secure than if there wasn’t any. The reality is something better already existed where the user, after installing a clean system, could lock it down.

One other thing I noticed is when you use Fastboot with disabled usb init and you have to enrol a new hash you have got a problem. You can not use the keyboard without at least partial init. When you used Win8 first and then rebooted (with shift) then you have got keyboard access but when you then installed Linux as default with Fastboot then you can only hope that holding RESET for a few seconds will get you into the Setup to change Fastboot. So basically you did not gain too much as you can get lost this way. Just a tiny bit later than when you would have to go to Setup to disable Secure Boot. This can always happen when you update your bootloader. Not really optimal using a hash.

While in essence the point (from MS perspective) may have made sense to start using the UEFI configuration of the system BIOS to lock down the security… I do believe it was mainly at the request of Mr Balmer to have it isolate the possibility of other OSes being installed to run concurrently on the same hardware.

I personally think that their so-called “flagship” Windows 8 is a piece of crap! I have no intention of either installing the OS on any machine I buy/build/sell. Furthermore I have been swaying any client away from purchasing any device preloaded with Windows 8 derivative products, instead promoting Android based product simply for simplicity & reliability.

This is indeed a situation which warrants each computer user to register our complaints to the DoJ (or equivalent body in our respective countries), you see Mr Balmer the people are the ones with the power – NOT YOU!

We are trying it by renaming the grub loader bootx64.efi to loader.efi and using preloader as bootx64.efi … trying to boot with secure boot disabled on an HP DV7 laptop works fine, however with secure boot enabled we just get a black screen (no cursor). If I remove loader.efi then preloader says it can’t find loader.efi so it appears it’s trying to boot loader.efi and hanging. So the question is, is the problem with grub’s loader or the way preloader is loading the grub loader?

On a different HP all-in-one system it booted, got it couldn’t load loader.efi, then said going to run something to add the hash, at which point I said yes, then had to select the loader.efi file then confirm to add it, choose return to uefi boot menu and system reset, booted back then it booted okay. So it’s something with the DV7 where it would say it can’t boot and ask if to run hashtool. BUT, couldn’t it just be set up to ask if it’s okay to boot an unsigned .efi file? I mean you’re still getting the user’s confirmation before booting, essentially disabling it when the user doesn’t want to use it.

I tried using HashTool on a Thinkpad T530 and it appears that the MOK is not honored at all. I can add hashes to it all day long and still get refused on booting those files.

Also I tried to follow the instructions for owning your own UEFI secure boot platform and found that while I can add keys in setup mode it does not allow me to ever delete the PK once it flips into user mode. I guess I shouldn’t be surprised that UEFI is buggy as hell at the moment, but I fear that if Lenovo isn’t getting it right then a lot of other vendors won’t be either. This seems to be a TianoCore-based Phoenix BIOS if that helps you any.

MOK isn’t a UEFI protocol; it’s one that was invented by SUSE. The only way you can boot MOK-authorised EFI binaries is to go via an intermediate UEFI binary that’s signed by Microsoft and which supports the MOK protocol (like shim or preloader).

b) By updating the ESP on the internal hard disk, where I created an EFI\LinFnd directory which contains the Preloader.efi, HashTool.efi and loader.efi (Gummiboot), and in turn changing the boot sequence using a combination of bcfg from the EFI shell and bcdedit (as Win8 was resetting the EFI boot order independently of the BIOS/EFI firmware boot sequence).

However in both cases, I found that hashtool.efi doesn’t seem to be successfully registering the hashes or the low level security hooking is not working, because I keep getting the failed image verification error for loader.efi and shellx64.efi (but both do run after reporting failed verification). However the Windows 8 bootmgfw.efi which I have added as an entry into gummiboot doesn’t give this failed image verification.

NOTE: Gummiboot seems to be behaving a bit strangely wrt how it tries to pick the default boot entry (by ignoring its own loader.conf file wrt timeout as well as default entry and ignoring keypresses to allow menu selection – and I have to create a lot of dummy boot entries for gummiboot for it to fail to find the file to run and then in turn show its boot menu). Either way I have downloaded the source for gummiboot and will have to debug this separately in the next few days, as I find time, as I can experiment on this without requiring to get it signed by Microsoft, due to your wonderful preloader.efi.

If you want me to do some experiments wrt preloader or give you more info on any aspects, do let me know either through the forum here or through my email ID.

If the low level security hook isn’t being registered, there should be a splash error saying “Failed to install override security policy”. I’ll tighten up the check to make sure the override was installed (read back the memory we wrote to), but there may be something else going on.

I don’t really understand how the system can run the images after saying they failed verification, because that would be a pretty serious violation of the UEFI spec (one which Microsoft has said they’d revoke Windows 8 certification for). What is the actual message you get before the binaries actually run?

Before enrolling the hash of a binary, the UEFI complains that the “image failed to verify with **ACCESS DENIED**”. When I confirm this, HashTool is loaded and I can enroll the hash.
Once the hash is enrolled, I still get a dialogue with the message “image failed to verify with **ACCESS DENIED**” which I need to confirm. But after confirmation, the enrolled binary loads just fine. Note that this happens for every binary that is loaded, i.e. first gummiboot and then the Linux kernel.

James,
I got your mini-USB shell running on an ACER V5 171 machine.
From that I can get to the Linux Foundation bootloader.. and then into Win8. Ready to put Debian Wheezy on the machine now.
Many, many thanks for your work.

I’m just a regular, average guy who prefers, no, requires Linux over Microsoft. I don’t understand such high level talk regarding a possible soln to my problem. I just want to know how to do it (how to get Ubuntu installed on my system whose BIOS does not have a feature to disable secure boot). Is there a reliable tutorial that’s actually comprehensive (doesn’t skip any needed information) and comes down to a level the average user could make use of? If anyone knows of such a resource I would sure appreciate learning of it. I’m stuck without a computer until I find a soln I can understand (or just legacy boot, which is what I had before and dd’ed/repartitioned yesterday to try a UEFI install again).

Hi James
I have just tried the Archlinux latest ISO dated “2013.07.01”. I have an Asus Crosshair V on the latest firmware available, “1703”. When I start the DVD in UEFI mode, I get this error message: “Failed to install override security policy: (14) Not Found.” At this point all I can do is hit the OK button, which ends the DVD from starting. Extremely frustrating to say the least. I do have more words but it would sound impolite to express them here. I do have an earlier Archlinux install DVD, “2013.04.01”, which works as it does not contain the “HashTool.efi” and “loader.efi”. Why is there no way to bypass this? The firmware does not have any secure boot switch to turn on or off. I would think that the EFI loader should be able to sense that the hardware’s firmware does not have a secure boot function and turn itself off, allowing for the boot to continue.
Thanks
Jeff

I’ve the same problem as Julian. “Failed to install override security policy: (14) Not found” after trying to boot from the UEFI USB installer stick of the recent Arch Linux. My motherboard is also ASUS, an M5A99X EVO with the recent firmware.

I’m a beginner in Linux and EFI development and very interested in the preloader project. But I can’t download any files for tests using the links on this page. Where can I download them now? Thanks a lot.

Where are hashes saved? On the ESP or in the motherboard firmware?
Do shim and preloader support loading several signed loaders? Where is shim looking for keys?
Is there a possibility to install the grub image on a bios_grub partition and the ESP at the same time? I need this to boot from a portable HDD on computers of both types.

The hashes are saved in the db. This is part of the UEFI variables. You can e.g. enter your UEFI and save the keys. The db is where you will find the hashes. You can extract the stuff like this. Rename the db file to db.esl and then do this:

sig-list-to-certs db.esl db

Then you will get all keys and hashes from the db. The hashes seem to have some binary format and are 32 byte long.

This tool is part of efitools. I could not get them running on Fedora 20 but the key conversion part works.

If you have problems compiling the efitools do these changes in Make.rules: This worked for me.

Well I guess my answer was not quite correct. I mean – yes, I find hashes in the db after adding them. But the puzzling thing is: if I remove the db and install a db which has no hashes – only the certificates – the binaries added with HashTool are still accepted. So the real storage place must be somewhere else.

Also I noted that if the db is taken directly from /sys/firmware/efi/efivars I have to remove the first four bytes (hex 27 00 00 00) from the file in order to have an .esl file.

I have written something to remove the header. But I am unsure whether the bytes which start the .esl in my case are always the same. Perhaps you should adapt DB_START and MOK_START in this tool for you.
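The two comments above describe the on-disk format involved: the db variable is a chain of EFI_SIGNATURE_LIST structures (the .esl format that sig-list-to-certs reads), and a dump taken from /sys/firmware/efi/efivars carries a 4-byte attribute word in front of it (the 27 00 00 00 seen above). The following is an added example, not code from the page, efitools or the commenter's own header-stripping tool: it strips the efivars attribute word, walks each signature list and reports every X.509 certificate and 32-byte SHA-256 hash entry. The sample variable contents, owner GUID and hash values are constructed placeholders. The MokList variable that shim maintains uses the same signature-list format, so the same parser applies to it.

```python
"""Inspect a UEFI signature database (db, dbx, or shim's MokList) offline.

Added example (not code from the page, efitools or the commenter's tool).
It parses the EFI_SIGNATURE_LIST chain that makes up an .esl file, after
stripping the 4-byte attribute word that efivarfs prefixes to variable data.
The sample data below is constructed for the demonstration only.
"""
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# 0x27 = NON_VOLATILE (0x01) | BOOTSERVICE_ACCESS (0x02) | RUNTIME_ACCESS (0x04)
#        | TIME_BASED_AUTHENTICATED_WRITE_ACCESS (0x20), the attribute word
#        that appears as 27 00 00 00 at the start of an efivarfs db dump.
EFIVARS_HEADER_LEN = 4
SIG_LIST_HEADER_LEN = 16 + 4 + 4 + 4  # SignatureType GUID + three u32 fields


def strip_efivars_header(data: bytes) -> tuple[int, bytes]:
    """Split an efivarfs dump into (attribute word, .esl payload)."""
    if len(data) < EFIVARS_HEADER_LEN:
        raise ValueError("too short for an efivarfs attribute header")
    (attrs,) = struct.unpack_from("<I", data, 0)
    return attrs, data[EFIVARS_HEADER_LEN:]


def parse_esl(esl: bytes) -> list[dict]:
    """Walk every EFI_SIGNATURE_LIST in esl and return its entries.

    Layout per list: SignatureType (GUID, 16) | SignatureListSize (u32)
    | SignatureHeaderSize (u32) | SignatureSize (u32) | header bytes
    | N signatures, each SignatureOwner (GUID, 16) + SignatureData.
    Malformed sizes raise ValueError rather than reading past the buffer.
    """
    entries = []
    off = 0
    while off < len(esl):
        if len(esl) - off < SIG_LIST_HEADER_LEN:
            raise ValueError(f"truncated signature list header at offset {off}")
        sig_type = uuid.UUID(bytes_le=esl[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", esl, off + 16)
        if list_size < SIG_LIST_HEADER_LEN + hdr_size or off + list_size > len(esl):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body = esl[off + SIG_LIST_HEADER_LEN + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            payload = body[i + 16:i + sig_size]
            if sig_type == EFI_CERT_SHA256_GUID:
                kind, value = "sha256", payload.hex()      # 32-byte image hash
            elif sig_type == EFI_CERT_X509_GUID:
                kind, value = "x509", f"{len(payload)} bytes DER"
            else:
                kind, value = str(sig_type), payload.hex()
            entries.append({"type": kind, "owner": str(owner), "value": value})
        off += list_size
    return entries


def build_sha256_list(owner: uuid.UUID, hashes: list[bytes]) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries, as HashTool enrols them."""
    sig_size = 16 + 32
    list_size = SIG_LIST_HEADER_LEN + sig_size * len(hashes)
    out = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    for h in hashes:
        if len(h) != 32:
            raise ValueError("SHA-256 entries are exactly 32 bytes")
        out += owner.bytes_le + h
    return out


# Constructed sample: a db dump as efivarfs presents it, holding two hash
# entries under a made-up owner GUID (placeholder values, not real data).
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
SAMPLE_HASHES = [bytes([0x11]) * 32, bytes([0x22]) * 32]
SAMPLE_EFIVARS_DB = struct.pack("<I", 0x27) + build_sha256_list(SAMPLE_OWNER, SAMPLE_HASHES)


def list_db_entries(efivars_dump: bytes) -> list[dict]:
    """Strip the attribute word, then parse the remaining .esl data."""
    _, esl = strip_efivars_header(efivars_dump)
    return parse_esl(esl)


if __name__ == "__main__":
    for e in list_db_entries(SAMPLE_EFIVARS_DB):
        print(e["type"], e["owner"], e["value"])
```

Feeding the raw efivars dump to parse_esl without stripping the attribute word fails the size check immediately, which is the symptom the commenter worked around by removing the first four bytes; a real dump read from /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f can be passed to list_db_entries as-is.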

Sorry to be a pain about this but what is really missing is a step by step approach. Your readme on the mini USB ISO is not accessible for me (yes, I know I’m stupid!) on account of the GPT partitioning. Well anyway, learning by doing got me as far as bootx not being able to start loader.efi: error message (2). I’m trying to run a live USB boot of Kali Linux 64 bit off the newest .iso on a Win8.1 laptop. It is an absolute uphill battle to do something really simple…. Any help would be appreciated, in addition to that already given! Thanks!